salt.renderers.aws_kms

Renderer that will decrypt ciphers encrypted using AWS KMS Envelope Encryption.

Any key in the data to be rendered can be a urlsafe_b64encoded string, and this renderer will attempt to decrypt it before passing it off to Salt. This allows you to safely store secrets in source control, in such a way that only your Salt master can decrypt them and distribute them only to the minions that need them.

The typical use-case would be to use ciphers in your pillar data, and keep the encrypted data key on your master. This way developers with appropriate AWS IAM privileges can add new secrets quickly and easily.

This renderer requires the boto3 Python library.

Setup

First, set up your AWS client. For complete instructions on configuring the AWS client, please read the boto3 configuration documentation. By default, this renderer will use the default AWS profile. You can override the profile name in the Salt configuration. For example, if you have a profile in your AWS client configuration named "salt", you can add the following Salt configuration:

aws_kms:
  profile_name: salt

The rest of these instructions assume that you will use the default profile for key generation and setup. If not, export AWS_PROFILE and set it to the desired value.

Once the aws client is configured, generate a KMS customer master key and use that to generate a local data key.

# data_key=$(aws kms generate-data-key --key-id your-key-id --key-spec AES_256 \
             --query 'CiphertextBlob' --output text)
# printf 'aws_kms:\n' >> config/master
# printf '  data_key: !!binary "%s"\n' "$data_key" >> config/master

To apply the renderer on a file-by-file basis, add the following line to the top of any pillar file that contains AWS KMS ciphers:

#!yaml|aws_kms

Now with your renderer configured, you can include your ciphers in your pillar data like so:

#!yaml|aws_kms

a-secret: gAAAAABaj5uzShPI3PEz6nL5Vhk2eEHxGXSZj8g71B84CZsVjAAtDFY1mfjNRl-1Su9YVvkUzNjI4lHCJJfXqdcTvwczBYtKy0Pa7Ri02s10Wn1tF0tbRwk=
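The envelope flow that the setup and pillar steps above rely on, as an added example that is not Salt's own renderer code: a constructed stand-in for the boto3 KMS client unwraps the stored data key the way a real `decrypt` call would, and the pillar ciphers are Fernet tokens from the `cryptography` library (the `gAAAA...` form of the sample cipher is that token format). The key bytes, pillar values and class names are constructed for the example.

```python
import base64

from cryptography.fernet import Fernet, InvalidToken

# Constructed sample: a 32-byte AES_256 data key and the blob KMS would return
# for it. In a real setup only the wrapped blob (the !!binary data_key in the
# master config) ever touches disk; the plaintext key lives in memory only.
SAMPLE_DATA_KEY = bytes(range(32))
ENCRYPTED_DATA_KEY = SAMPLE_DATA_KEY[::-1]

class FakeKMS:
    """Stand-in for a boto3 KMS client (constructed, no network). Real KMS
    unwraps the blob with the customer master key; here it is just reversed."""

    def decrypt(self, CiphertextBlob):
        return {"Plaintext": CiphertextBlob[::-1]}

def fernet_from_kms(kms, encrypted_data_key):
    """Unwrap the data key through KMS and build the Fernet used on ciphers.
    KMS hands back raw key bytes; Fernet wants them urlsafe-base64 encoded."""
    plaintext = kms.decrypt(CiphertextBlob=encrypted_data_key)["Plaintext"]
    return Fernet(base64.urlsafe_b64encode(plaintext))

def encrypt_secret(plaintext, fernet):
    """What a developer with KMS access runs to produce a cipher for the pillar."""
    return fernet.encrypt(plaintext.encode()).decode()

def render(data, fernet):
    """Walk the pillar; each string is tried as a cipher, and anything that is
    not a valid token under this key is passed through unchanged."""
    if isinstance(data, dict):
        return {k: render(v, fernet) for k, v in data.items()}
    if isinstance(data, list):
        return [render(v, fernet) for v in data]
    if isinstance(data, str):
        try:
            return fernet.decrypt(data.encode()).decode()
        except (InvalidToken, ValueError, TypeError):
            return data
    return data

def demo():
    # Round trip: unwrap the key, encrypt two secrets, render a mixed pillar.
    fernet = fernet_from_kms(FakeKMS(), ENCRYPTED_DATA_KEY)
    pillar = {"a-secret": encrypt_secret("hunter2", fernet),
              "db": {"host": "db.internal", "port": 5432,
                     "password": encrypt_secret("s3cr3t", fernet)}}
    return render(pillar, fernet)
```

Note the pass-through behaviour: a cipher produced under a different data key is not an error, it reaches the minion as the ciphertext string, so a mismatch between the developer's key and the master's `data_key` shows up as garbage values in pillar rather than as a render failure.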

salt.renderers.aws_kms.render(data, saltenv='base', sls='', argline='', **kwargs)

Decrypt the data to be rendered that was encrypted using AWS KMS envelope encryption.